Gitiles
Code Review Sign In
gerrit.onosproject.org / onos / 9e51fd0a7eca54c1396f5e7e3e30a1f48b864db9 / . / core / security / src / main / java / org / onosproject / security / impl / SecurityModeManager.java
blob: 325f49bee9d83711ffd07b9b8b5effb0e8df0321 [file] [log] [blame]
Brian O'Connor91d07982015-09-10 16:37:29 -0700[diff] [blame]1/*
2 * Copyright 2015 Open Networking Laboratory
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
Changhoon Yoonb856b812015-08-10 03:47:19 +0900[diff] [blame]16package org.onosproject.security.impl;
17
18import com.google.common.collect.Lists;
19
20import org.apache.felix.scr.annotations.Component;
21import org.apache.felix.scr.annotations.Reference;
22import org.apache.felix.scr.annotations.ReferenceCardinality;
23import org.apache.felix.scr.annotations.Activate;
24import org.apache.felix.scr.annotations.Deactivate;
25import org.apache.felix.scr.annotations.Service;
26
27import org.onosproject.app.ApplicationAdminService;
28import org.onosproject.app.ApplicationState;
29import org.onosproject.core.Application;
30import org.onosproject.core.ApplicationId;
31
32import org.onosproject.event.EventDeliveryService;
33import org.onosproject.event.ListenerRegistry;
34import org.onosproject.security.AppPermission;
35import org.onosproject.security.SecurityAdminService;
36import org.onosproject.security.store.SecurityModeEvent;
37import org.onosproject.security.store.SecurityModeListener;
38import org.onosproject.security.store.SecurityModeStore;
39import org.onosproject.security.store.SecurityModeStoreDelegate;
40import org.osgi.framework.BundleContext;
41import org.osgi.framework.FrameworkUtil;
42import org.osgi.framework.ServicePermission;
43import org.osgi.service.log.LogEntry;
44import org.osgi.service.log.LogListener;
45import org.osgi.service.log.LogReaderService;
46import org.osgi.service.permissionadmin.PermissionInfo;
47
48import java.security.AccessControlException;
49import java.security.Permission;
50import java.util.ArrayList;
51import java.util.List;
52import java.util.Map;
53import java.util.Set;
54import java.util.concurrent.ConcurrentHashMap;
55
56import org.osgi.service.permissionadmin.PermissionAdmin;
57import org.slf4j.Logger;
58
59import static org.slf4j.LoggerFactory.getLogger;
60
Changhoon Yoonb856b812015-08-10 03:47:19 +0900[diff] [blame]61/**
62 * Security-Mode ONOS management implementation.
Brian O'Connor91d07982015-09-10 16:37:29 -0700[diff] [blame]63 *
64 * Note: Activating Security-Mode ONOS has significant performance implications in Drake.
65 * See the wiki for instructions on how to activate it.
Changhoon Yoonb856b812015-08-10 03:47:19 +0900[diff] [blame]66 */
67
68@Component(immediate = true)
69@Service
70public class SecurityModeManager implements SecurityAdminService {
71
72 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
73 protected SecurityModeStore store;
74
75 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
76 protected ApplicationAdminService appAdminService;
77
78 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
79 protected LogReaderService logReaderService;
80
81 @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
82 protected EventDeliveryService eventDispatcher;
83
84 private final Logger log = getLogger(getClass());
85
86 protected final ListenerRegistry<SecurityModeEvent, SecurityModeListener>
87 listenerRegistry = new ListenerRegistry<>();
88
89 private final SecurityModeStoreDelegate delegate = new InternalStoreDelegate();
90
91 private SecurityLogListener securityLogListener = new SecurityLogListener();
92
93 private PermissionAdmin permissionAdmin = getPermissionAdmin();
94
95
96 @Activate
97 public void activate() {
98
99 eventDispatcher.addSink(SecurityModeEvent.class, listenerRegistry);
100 // add Listeners
101 logReaderService.addLogListener(securityLogListener);
102
103 store.setDelegate(delegate);
104
105 if (System.getSecurityManager() == null) {
106 log.warn("J2EE security manager is disabled.");
107 deactivate();
108 return;
109 }
110 if (permissionAdmin == null) {
111 log.warn("Permission Admin not found.");
112 deactivate();
113 return;
114 }
115
116 log.info("Security-Mode Started");
117 }
118
119 @Deactivate
120 public void deactivate() {
121 eventDispatcher.removeSink(SecurityModeEvent.class);
122 logReaderService.removeLogListener(securityLogListener);
123 store.unsetDelegate(delegate);
124 log.info("Stopped");
125
126 }
127
128 @Override
129 public boolean isSecured(ApplicationId appId) {
130 if (store.getState(appId) == null) {
131 store.registerApplication(appId);
132 }
133 return store.isSecured(appId);
134 }
135
136
137 @Override
138 public void review(ApplicationId appId) {
139 if (store.getState(appId) == null) {
140 store.registerApplication(appId);
141 }
142 store.reviewPolicy(appId);
143 }
144
145 @Override
146 public void acceptPolicy(ApplicationId appId) {
147 if (store.getState(appId) == null) {
148 store.registerApplication(appId);
149 }
150 store.acceptPolicy(appId, DefaultPolicyBuilder.convertToOnosPermissions(getMaximumPermissions(appId)));
151 }
152
153 @Override
154 public void register(ApplicationId appId) {
155 store.registerApplication(appId);
156 }
157
158 @Override
159 public Map<Integer, List<Permission>> getPrintableSpecifiedPermissions(ApplicationId appId) {
160 return getPrintablePermissionMap(getMaximumPermissions(appId));
161 }
162
163 @Override
164 public Map<Integer, List<Permission>> getPrintableGrantedPermissions(ApplicationId appId) {
165 return getPrintablePermissionMap(
166 DefaultPolicyBuilder.convertToJavaPermissions(store.getGrantedPermissions(appId)));
167 }
168
169 @Override
170 public Map<Integer, List<Permission>> getPrintableRequestedPermissions(ApplicationId appId) {
171 return getPrintablePermissionMap(
172 DefaultPolicyBuilder.convertToJavaPermissions(store.getRequestedPermissions(appId)));
173 }
174
175 private class SecurityLogListener implements LogListener {
176 @Override
177 public void logged(LogEntry entry) {
178 if (entry.getException() != null &&
179 entry.getException() instanceof AccessControlException) {
180 String location = entry.getBundle().getLocation();
181 Permission javaPerm =
182 ((AccessControlException) entry.getException()).getPermission();
183 org.onosproject.security.Permission permission = DefaultPolicyBuilder.getOnosPermission(javaPerm);
184 if (permission == null) {
185 log.warn("Unsupported permission requested.");
186 return;
187 }
188 store.getApplicationIds(location).stream().filter(
189 appId -> store.isSecured(appId) &&
190 appAdminService.getState(appId) == ApplicationState.ACTIVE).forEach(appId -> {
191 store.requestPermission(appId, permission);
192 print("[POLICY VIOLATION] APP: %s / Bundle: %s / Permission: %s ",
193 appId.name(), location, permission.toString());
194 });
195 }
196 }
197 }
198
199 private class InternalStoreDelegate implements SecurityModeStoreDelegate {
200 @Override
201 public void notify(SecurityModeEvent event) {
202 if (event.type() == SecurityModeEvent.Type.POLICY_ACCEPTED) {
203 setLocalPermissions(event.subject());
204 log.info("{} POLICY ACCEPTED and ENFORCED", event.subject().name());
205 } else if (event.type() == SecurityModeEvent.Type.POLICY_VIOLATED) {
206 log.info("{} POLICY VIOLATED", event.subject().name());
207 } else if (event.type() == SecurityModeEvent.Type.POLICY_REVIEWED) {
208 log.info("{} POLICY REVIEWED", event.subject().name());
209 }
210 eventDispatcher.post(event);
211 }
212 }
213
214 /**
215 * TYPES.
216 * 0 - APP_PERM
217 * 1 - ADMIN SERVICE
218 * 2 - NB_SERVICE
219 * 3 - ETC_SERVICE
220 * 4 - ETC
221 * @param perms
222 */
223 private Map<Integer, List<Permission>> getPrintablePermissionMap(List<Permission> perms) {
224 ConcurrentHashMap<Integer, List<Permission>> sortedMap = new ConcurrentHashMap<>();
225 sortedMap.put(0, new ArrayList());
226 sortedMap.put(1, new ArrayList());
227 sortedMap.put(2, new ArrayList());
228 sortedMap.put(3, new ArrayList());
229 sortedMap.put(4, new ArrayList());
230 for (Permission perm : perms) {
231 if (perm instanceof ServicePermission) {
232 if (DefaultPolicyBuilder.getNBServiceList().contains(perm.getName())) {
233 if (perm.getName().contains("Admin")) {
234 sortedMap.get(1).add(perm);
235 } else {
236 sortedMap.get(2).add(perm);
237 }
238 } else {
239 sortedMap.get(3).add(perm);
240 }
241 } else if (perm instanceof AppPermission) {
242 sortedMap.get(0).add(perm);
243 } else {
244 sortedMap.get(4).add(perm);
245 }
246 }
247 return sortedMap;
248 }
249
250 private void setLocalPermissions(ApplicationId applicationId) {
251 for (String location : store.getBundleLocations(applicationId)) {
252 permissionAdmin.setPermissions(location, permissionsToInfo(store.getGrantedPermissions(applicationId)));
253 }
254 }
255
256 private PermissionInfo[] permissionsToInfo(Set<org.onosproject.security.Permission> permissions) {
257 List<PermissionInfo> result = Lists.newArrayList();
258 for (org.onosproject.security.Permission perm : permissions) {
259 result.add(new PermissionInfo(perm.getClassName(), perm.getName(), perm.getActions()));
260 }
261 PermissionInfo[] permissionInfos = new PermissionInfo[result.size()];
262 return result.toArray(permissionInfos);
263 }
264
265
266
267 private List<Permission> getMaximumPermissions(ApplicationId appId) {
268 Application app = appAdminService.getApplication(appId);
269 if (app == null) {
270 print("Unknown application.");
271 return null;
272 }
273 List<Permission> appPerms;
274 switch (app.role()) {
275 case ADMIN:
276 appPerms = DefaultPolicyBuilder.getAdminApplicationPermissions(app.permissions());
277 break;
278 case USER:
279 appPerms = DefaultPolicyBuilder.getUserApplicationPermissions(app.permissions());
280 break;
281 case UNSPECIFIED:
282 default:
283 appPerms = DefaultPolicyBuilder.getDefaultPerms();
284 break;
285 }
286
287 return appPerms;
288 }
289
290
291 private void print(String format, Object... args) {
292 System.out.println(String.format("SM-ONOS: " + format, args));
293 log.warn(String.format(format, args));
294 }
295
296 private PermissionAdmin getPermissionAdmin() {
297 BundleContext context = getBundleContext();
298 return (PermissionAdmin) context.getService(context.getServiceReference(PermissionAdmin.class.getName()));
299 }
300
301 private BundleContext getBundleContext() {
302 return FrameworkUtil.getBundle(this.getClass()).getBundleContext();
303
304 }
305}